summaryrefslogtreecommitdiff
path: root/man/systemd.exec.xml
diff options
context:
space:
mode:
authorTopi Miettinen <topimiettinen@users.noreply.github.com>2016-06-03 15:58:18 +0000
committerLennart Poettering <lennart@poettering.net>2016-06-03 17:58:18 +0200
commitf3e43635932c14f8f0aea078adf3bfe09a9ba683 (patch)
tree33371a308779fe106a49449cab1841ea1b4ec407 /man/systemd.exec.xml
parentde4503c8d9ea9799437695c988296cc532530a14 (diff)
core: Restrict mmap and mprotect with PAGE_WRITE|PAGE_EXEC (#3319) (#3379)
New exec boolean MemoryDenyWriteExecute, when set, installs a seccomp filter to reject mmap(2) with PAGE_WRITE|PAGE_EXEC and mprotect(2) with PAGE_EXEC.
Diffstat (limited to 'man/systemd.exec.xml')
-rw-r--r--man/systemd.exec.xml16
1 files changed, 16 insertions, 0 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 58f18f3a9e..4a3dd14c39 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1388,6 +1388,22 @@
<citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>MemoryDenyWriteExecute=</varname></term>
+
+ <listitem><para>Takes a boolean argument. If set, attempts to create memory mappings that are writable and
+ executable at the same time, or to change existing memory mappings to become executable are prohibited.
+ Specifically, a system call filter is added that rejects
+ <citerefentry><refentrytitle>mmap</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+ system calls with both <constant>PROT_EXEC</constant> and <constant>PROT_WRITE</constant> set
+ and <citerefentry><refentrytitle>mprotect</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+ system calls with <constant>PROT_EXEC</constant> set. Note that this option is incompatible with programs
+ that generate program code dynamically at runtime, such as JIT execution engines, or programs compiled making
+ use of the code "trampoline" feature of various C compilers. This option improves service security, as it makes
+ harder for software exploits to change running code dynamically.
+ </para></listitem>
+ </varlistentry>
+
</variablelist>
</refsect1>